Audit mode

Audit mode is triggered by the policy controller, which will create an authorization named "audit" allowing traffic for the given target. When the proxy processes an authorization with such name it will log it at INFO. Also, add "audit" to the possible values for `LINKERD2_PROXY_INBOUND_DEFAULT_POLICY`, whose effect is the same as "all-unauthenticated".
linkerd · Jul 15, 2024 · a3f0e53 · a3f0e53
1 parent c55c053
commit a3f0e53
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/linkerd/app/inbound/src/policy/http.rs b/linkerd/app/inbound/src/policy/http.rs
@@ -202,7 +202,25 @@ impl<T, N> HttpPolicyService<T, N> {
             .iter()
             .find(|a| super::is_authorized(a, self.connection.client, &self.connection.tls))
         {
-            Some(authz) => authz,
+            Some(authz) => {
+                if authz.meta.name() == "audit" {
+                    tracing::info!(
+                        server.group = %labels.server.0.group(),
+                        server.kind = %labels.server.0.kind(),
+                        server.name = %labels.server.0.name(),
+                        route.group = %labels.route.group(),
+                        route.kind = %labels.route.kind(),
+                        route.name = %labels.route.name(),
+                        client.tls = ?self.connection.tls,
+                        client.ip = %self.connection.client.ip(),
+                        authz.group = %authz.meta.group(),
+                        authz.kind = %authz.meta.kind(),
+                        authz.name = %authz.meta.name(),
+                        "Request allowed",
+                    );
+                }
+                authz
+            }
             None => {
                 tracing::info!(
                     server.group = %labels.server.0.group(),

diff --git a/linkerd/app/inbound/src/policy/tcp.rs b/linkerd/app/inbound/src/policy/tcp.rs
@@ -194,6 +194,19 @@ fn check_authorized(
     {
         for authz in &**authzs {
             if super::is_authorized(authz, client_addr, tls) {
+                if authz.meta.name() == "audit" {
+                    tracing::info!(
+                        server.group = %server.meta.group(),
+                        server.kind = %server.meta.kind(),
+                        server.name = %server.meta.name(),
+                        client.tls = ?tls,
+                        client.ip = %client_addr.ip(),
+                        authz.group = %authz.meta.group(),
+                        authz.kind = %authz.meta.kind(),
+                        authz.name = %authz.meta.name(),
+                        "Request allowed",
+                    );
+                }
                 return Ok(ServerPermit::new(dst, server, authz));
             }
         }

diff --git a/linkerd/app/src/env.rs b/linkerd/app/src/env.rs
@@ -1008,7 +1008,7 @@ fn parse_default_policy(
         "all-authenticated" => {
             Ok(inbound::policy::defaults::all_authenticated(detect_timeout).into())
         }
-        "all-unauthenticated" => {
+        "all-unauthenticated" | "audit" => {
             Ok(inbound::policy::defaults::all_unauthenticated(detect_timeout).into())
         }